Agence Europe
Europe Daily Bulletin No. 13171
COURT OF JUSTICE OF THE EU / Justice

For Advocate General of Court of Justice of EU, controller can be held liable for unlawful disclosure of personal data

Advocate General Giovanni Pitruzzella considers that unlawful access to personal data by a third party leads to liability for presumed fault on the part of the controller and may give rise to non-material damage for which compensation can be awarded. His conclusions, delivered to the Court of Justice of the EU on Thursday 27 April, follow a request from the Bulgarian Supreme Administrative Court for an interpretation of the General Data Protection Regulation (GDPR) in case C-340/21 (“Natsionalna agentsia za prihodite”).

Hacked data

In 2019, as a result of the hacking of the Bulgarian National Agency for Public Revenues (NAP) computer system, tax and social insurance information regarding millions of people was published on the internet. Many citizens brought proceedings against the NAP for compensation for non-material damage in the form of worry and fear that their personal data would be misused. In their view, the NAP, as controller, had not fulfilled its obligation to adopt appropriate measures to ensure the security of their data.

The court of first instance rejected the claim, holding that the NAP was not responsible for the dissemination of the data, that the burden of proof for the inappropriateness of the measures was on the citizens, and that non-material damage was not eligible for compensation. The Bulgarian Supreme Administrative Court asked the Court of Justice of the EU to clarify its interpretation of the GDPR in this case.

Conclusions

Mr Pitruzzella recalls that the data controller is “obliged to implement appropriate technical and organisational measures to ensure that processing of personal data is performed in accordance with the Regulation (GDPR)” and that the appropriateness of these measures is assessed on a case-by-case basis.

Thus, in his view, the existence of a personal data breach does not, on its own, lead to the conclusion that the measures are inappropriate. However, it is up to the controller to prove that the measures were adequate.

Furthermore, the fact that the breach of the GDPR was committed by a third party does not in itself exempt the controller from liability. In order to be exonerated, the controller must demonstrate “to a high standard of proof” that the harmful event is not attributable to him/her.

Finally, as far as obtaining compensation is concerned, the party concerned can claim it, provided that he or she has demonstrated the existence of detriment consisting in the “fear of a potential misuse of one’s personal data in the future” and that this represents a matter of “actual and certain emotional damage”.

To see the Conclusions (in French): https://aeur.eu/f/6ky (Original version in French by Hélène Seynaeve)
